Reference

Glossary

Last updated: 2026-06-11

Identity terms

Identity
A named, cryptographically-anchored party in the HexaEight system. Either a user identity (an email address) or an agent identity (a hostname).
User identity
An email address authenticated via the HexaEight Authenticator mobile app. Bound to the person, not to a machine.
Agent identity
A hostname bound to a specific machine through an activation process. Either a generic auto-generated name (web0-bliss-cyan-...) or a custom hostname (agent01.acme.com).
Activation
The one-time process that binds an identity license to a specific machine. Produces env-file and hexaeight.mac.
SourceId
The opaque cryptographic identifier the platform issued at activation. Appears in the wire envelope header so receivers can fetch the matching decryption key.

Messaging terms

Envelope
An encrypted message that the SDK produces and consumes. A long opaque string sent over any transport.
Body
The plaintext content of a message, inside the encrypted envelope.
KGT
Key generation time — a 15-minute time window used to derive shared keys. Encoded in the envelope's wire header.
Session
A persistent conversation between two parties identified by a session ID. Lets both sides skip per-message platform calls.
Final recipient
A payload claim set by the original sender indicating the intended end recipient when relaying through an intermediary.
Original sender
A payload claim set by a relay agent indicating who originally produced a message that the relay is forwarding.
Multi-party chain
An ordered list of recipients a message must pass through, each peeling one layer of encryption.

Authorization terms

Policy
The full set of rules the SDK evaluates against messages.
Rule
A single line in the policy file specifying sender, destination, realm, direction, and effect (allow/deny).
Realm
The scope a rule applies in: default, app:<X>, session:<Y>, or user:<Z>.
Direction
Either inbound (receiving) or outbound (sending).
Effect
Either allow or deny. Deny always wins when multiple rules match.
Bootstrap mode
The initial state when no rules are configured. Allows all messages until the first rule is added.
AutoEnforce
The on/off switch for automatic policy checking on encrypt/decrypt. Default ON.
Tier 1 / Tier 2 / Tier 3 / Tier 4
User-level / session-level / app-level / default rules, in increasing order of generality.

Scaling terms

Swarm
Multiple machines running the same agent identity, sharing an encrypted policy and coordinating via distributed locks.
Swarm Key
A shared secret known to all swarm members. Encrypts the shared policy file and lock files. Separate from any machine's activation password.
Quorum storage
The location (file share, cloud storage) where the swarm's shared encrypted state lives. All members must be able to read and write here.
Distributed lock
A primitive provided by the SDK that lets one swarm member at a time hold exclusive access to a named resource.

Cryptographic terms

DDE
Dead Drop Encryption — the cryptographic primitive HexaEight is built on. Allows two parties to derive a shared key without exchanging public keys.
ASK
Asymmetric Shared Key — the result of DDE key derivation. Each side gets its half; the platform never holds the combined key.
Protection hash
A SHA-512 hash of the sending application's binary (or URL for browser apps). Carried in the encrypted payload and used by app-level rules.